S0298: Xbot
Analyst context for executives and security teams
Xbot is a mobile malware family described by ATT&CK as Android malware observed in 2016 targeting users in Russia and Australia. Its value for defenders is the set of behaviors ATT&CK links to it: fake GUI prompts for sensitive information, SMS message access, encrypting device data for impact, and endpoint denial of service. For leaders, this is a reminder that mobile compromise can affect more than a handset: it can expose credentials or banking data, disrupt user access, and create incident-response and compliance questions around mobile device management, BYOD, and mobile telemetry.
Executive priority
Treat Xbot as a mobile-risk validation case rather than a current-exposure claim. Security leaders should ask whether managed and unmanaged Android devices have enforceable controls for suspicious apps, phishing-style credential prompts, SMS access, and device lockout or data-encryption events. The business decision is whether mobile security, identity protection, and incident response processes can produce evidence quickly when a user reports credential theft, ransom behavior, or loss of device access.
Technical view
ATT&CK software objects carry no detection text and no tactics of their own, so SOC and IR teams should anchor validation on the techniques the object is mapped to: T1417.002 Input Capture: GUI Input Capture, T1636.004 Protected User Data: SMS Messages, T1471 Data Encrypted for Impact, and T1642 Endpoint Denial of Service. For Android environments, confirm what mobile device management, endpoint/mobile threat defense, identity, and help desk workflows record when an app requests sensitive permissions, presents suspicious credential or payment prompts, accesses SMS content, encrypts local files, or interferes with device availability.
Likely telemetry
- Mobile device management inventory, compliance, app inventory, and device administrator/profile-owner status records
- Android application installation source, package, permission, and update history where available
- Mobile threat defense or endpoint security alerts for suspicious apps, phishing overlays, ransomware-like behavior, or device lockout behavior
- Identity and authentication logs associated with mobile-origin credential use or suspicious sign-in after a mobile phishing report
- Help desk and incident tickets for device lockout, ransom messages, inaccessible files, or unexpected credential prompts
Detection direction
- Because ATT&CK does not provide official detection guidance for Xbot, validate behavior-based coverage against the four linked techniques rather than relying on the malware family name alone.
- Tune mobile detections for suspicious permission combinations and user-reported prompts, but account for false positives from legitimate banking, messaging, device management, and security applications.
- Confirm whether SMS-access monitoring is possible in the local mobile management stack; ATT&CK notes platform constraints, especially that iOS has no standard SMS API while Android exposes messages through the SMS Content Provider (access gated by the READ_SMS permission, which MDM app inventories can record).
- Review whether ransomware-like encryption or endpoint denial-of-service symptoms on mobile devices generate SOC-visible alerts or only help desk tickets.
- Correlate mobile reports with identity telemetry, since GUI input capture can turn a mobile incident into an account compromise investigation.
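The two detection points above, tuning for suspicious permission combinations without drowning in legitimate banking and messaging apps, and turning a user's mobile phishing report into an identity investigation, as one worked example. This is an added illustration, not code from the ATT&CK object, the Palo Alto report or the Glexia page. The Android permission names and the Play Store installer package name are real platform identifiers; the mapping of each permission to a technique is this example's own heuristic; the app inventory records, the allowlist, the package names, the report time and the sign-in events are all constructed, and real MDM, MTD and identity-provider exports will use different field names.

```python
"""Heuristic triage of an Android app inventory against the four ATT&CK
behaviors linked to Xbot, then correlation of a flagged user with sign-in
events.  Added example: every record, package name and event below is
constructed, not real MDM, MTD or identity-provider data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Permission names are real Android identifiers; treating each one as
# evidence for a particular technique is this example's own heuristic.
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}  # T1636.004
OVERLAY_PERMS = {"android.permission.SYSTEM_ALERT_WINDOW"}                     # T1417.002 overlay prompts
STORAGE_PERMS = {"android.permission.WRITE_EXTERNAL_STORAGE"}                  # T1471 external-storage files
PLAY_STORE = "com.android.vending"  # installer package recorded for Play Store installs

# Hypothetical allowlist of packages whose SMS/overlay use is expected
# (messaging, banking, MDM agent); a real one comes from the app catalog.
ALLOWLIST = {"com.example.corpmessenger", "com.example.bank", "com.example.mdmagent"}


@dataclass(frozen=True)
class AppRecord:
    device_id: str
    user: str
    package: str
    install_source: str        # installer package, or "unknown" for a sideloaded APK
    permissions: frozenset
    device_admin: bool = False  # device-administrator status as reported by MDM


@dataclass(frozen=True)
class Finding:
    device_id: str
    user: str
    package: str
    techniques: tuple
    sideloaded: bool


def map_techniques(app: AppRecord) -> tuple:
    """Translate granted permissions and admin status into the Xbot-linked
    technique IDs they could support."""
    hits = []
    if app.permissions & SMS_PERMS:
        hits.append("T1636.004")
    if app.permissions & OVERLAY_PERMS:
        hits.append("T1417.002")
    if app.device_admin:                        # device admin can lock the screen remotely
        hits.append("T1642")
        if app.permissions & STORAGE_PERMS:     # admin plus storage write: lock-and-encrypt pattern
            hits.append("T1471")
    return tuple(hits)


def triage_inventory(apps, allowlist=ALLOWLIST):
    """Flag apps showing two or more linked behaviours, or one behaviour on a
    sideloaded app.  Allowlisted packages are suppressed only when they came
    from the store, because a sideloaded APK can claim any package name."""
    findings = []
    for app in apps:
        sideloaded = app.install_source != PLAY_STORE
        if app.package in allowlist and not sideloaded:
            continue
        techs = map_techniques(app)
        if len(techs) >= 2 or (techs and sideloaded):
            findings.append(Finding(app.device_id, app.user, app.package, techs, sideloaded))
    return findings


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    ip: str
    device: str


def correlate_signins(finding, signins, report_time, window=timedelta(hours=72)):
    """Sign-ins for the flagged user inside `window` after the report that come
    from a device absent from that user's pre-report baseline."""
    baseline = {s.device for s in signins if s.user == finding.user and s.ts < report_time}
    return [s for s in signins
            if s.user == finding.user
            and report_time <= s.ts <= report_time + window
            and s.device not in baseline]


# Constructed sample inventory (four devices) and sign-in log.
SAMPLE_APPS = [
    AppRecord("dev-1", "alice", "com.example.bank", PLAY_STORE,
              frozenset({"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS"})),
    AppRecord("dev-2", "bob", "com.playstore.update", "unknown",
              frozenset(SMS_PERMS | OVERLAY_PERMS | STORAGE_PERMS), device_admin=True),
    AppRecord("dev-3", "carol", "com.example.flashlight", PLAY_STORE,
              frozenset({"android.permission.CAMERA"})),
    AppRecord("dev-4", "dave", "com.example.corpmessenger", "unknown",
              frozenset({"android.permission.READ_SMS"})),
]
REPORT_TIME = datetime(2016, 2, 11, 17, 0)  # when bob reported a fake payment prompt
SAMPLE_SIGNINS = [
    SignIn("bob", datetime(2016, 2, 10, 9, 0), "10.0.0.5", "bob-laptop"),
    SignIn("bob", datetime(2016, 2, 12, 8, 30), "10.0.0.5", "bob-laptop"),
    SignIn("bob", datetime(2016, 2, 12, 22, 15), "203.0.113.7", "unknown-android"),
    SignIn("alice", datetime(2016, 2, 12, 10, 0), "198.51.100.2", "alice-phone"),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_APPS):
        print(f.device_id, f.user, f.package, f.techniques, "sideloaded" if f.sideloaded else "store")
        for s in correlate_signins(f, SAMPLE_SIGNINS, REPORT_TIME):
            print("  post-report sign-in from new device:", s.ts, s.ip, s.device)
```

Run stand-alone, the triage flags the sideloaded device-admin app on dev-2 with all four technique IDs and the sideloaded SMS reader on dev-4, while the store-installed banking app on dev-1, which requests the same SMS and overlay permissions, is suppressed by the allowlist. The correlation step then surfaces bob's sign-in from a device never seen before his report, which is the hand-off point to the identity team. The thresholds are deliberately simple; what matters is that the rule keys on behaviours tied to the linked techniques rather than on the Xbot name, and that the allowlist is bypassed for sideloaded packages.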
Mitigation priorities
- Prioritize mobile device management policy enforcement for Android devices, including app inventory, compliance status, and control over high-risk permissions or administrative capabilities where supported.
- Strengthen user reporting and response playbooks for suspicious mobile credential prompts, SMS permission abuse, device lockout, and data-encryption symptoms.
- Ensure identity controls are ready for suspected mobile credential capture, including rapid password reset, session revocation, and review of recent authentication activity.
- For BYOD or partially managed devices, document what evidence the organization can and cannot collect before an incident occurs.
- Use this object to test mobile incident response handoffs among SOC, help desk, identity/IAM, legal/compliance, and device management teams.
Analyst notes and limits
The supplied ATT&CK object identifies Xbot as an Android malware family observed in 2016 and links it to GUI input capture, SMS message collection, data encryption for impact, and endpoint denial of service. The strongest defensive use is as a scenario for validating mobile phishing, mobile ransomware, and mobile availability response readiness.
ATT&CK provides no official detection text, no tactics, no aliases, and no object-level platform field for Xbot, although the description and relationship context support Android-relevant discussion. This summary does not assert current activity, attribution, prevalence, customer exposure, or guaranteed detection. Local device management, mobile security, identity, and help desk evidence are required to assess real coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1642 | Endpoint Denial of Service | Xbot can remotely lock infected Android devices and ask for a ransom. [1] |
| Mobile | T1417.002 | GUI Input Capture (sub-technique of Input Capture) | Xbot uses phishing pages mimicking Google Play's payment interface as well as bank login pages. [1] |
| Mobile | T1471 | Data Encrypted for Impact | Xbot can encrypt the victim's files in external storage (e.g., SD card) and then request a PayPal cash card as ransom. [1] |
| Mobile | T1636.004 | SMS Messages (sub-technique of Protected User Data) | Xbot steals all SMS messages and contact information, and intercepts and parses certain SMS messages. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e8ab27b15e25… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] PaloAlto-Xbot: Cong Zheng, Claud Xiao and Zhi Xu. (2016, February 18). New Android Trojan “Xbot” Phishes Credit Cards and Bank Accounts, Encrypts Devices for Ransom. Retrieved December 21, 2016.
- [2] Xbot (Citation: PaloAlto-Xbot)
- [3] mitre-attack: S0298
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.